When trying to use an ACF2 logonid with the RESTRICT attribute in Connect:Direct, the following errors are seen:
ACF01007 A PASSWORD IS REQUIRED FOR LOGONID xxxxxxx
RACF002I PASSWORD specified not valid for USERID specified.
How can an ACF2 RESTRICT logonid be used with the Connect:Direct product?
Release: 16.0
A resource rule of type PWD can be written to allow the Connect:Direct started task access to the resource logonid.NOPSWD, where logonid is the RESTRICT logonid:
$KEY(logonid) TYPE(PWD)
NOPSWD UID(uid string for STC) ALLOW
Connect:Direct issues a VERIFY signon request with PASSCHK=YES, but no password is available for an ACF2 RESTRICT logonid. To handle this situation, ACF2 issues an AUTH request with the class of VERPSWD and a resource of logonid.NOPSWD to validate whether the Connect:Direct started task should proceed with the signon. If the VERPSWD validation fails, the signon fails. If the VERPSWD validation succeeds, the signon proceeds without a password.
The RACROUTE AUTH call for CLASS='VERPSWD' is made with LOG=NOFAIL, so if the authorization check fails, the attempt is not recorded: no SMF record is cut and the failed access does not show up in the ACFRPTRV report.